Epic Game Store, Spyware, Tracking, and You!

So I've been poking at the Epic Game Store for a little while now. I'd first urge anyone seeing this to check out this excellent little post to see how things go titsup when Tencent gets involved. Of course, it shouldn't even need to be stated that they have very heavy ties to the Chinese government, who do all sorts of wonderful things for their people, like building hard labor camps creating employment opportunities for minorities and Muslims, and harvesting organs from political prisoners for profit redistributing biomatter to help those less fortunate.

But this isn't about that, this is about what I've found after poking the Epic Game Store client for a bit. Keep in mind that I am a rank amateur - if any actual experts here want to look at what I've scraped and found, shoot me a DM and I can send you what I've got.

I'm sure that this hardware survey information it's apparently storing in the registry won't be used for anything nefarious or identifiable at all. Steam is at least nice enough to ask you to partake in their hardware surveys.

Now that's just what it's doing locally on the computer. Let's look at traffic briefly. Fiddler will, if you let it, install dank new root certs and sniff out/decrypt SSL traffic for you. Using it and actually reading through results is a right pain though, and gives me a headache - and I only let the Epic client run long enough to log in, download Slime Rancher, click a few things, and then I terminated the process. Even that gave me an absolute shitload of traffic to look through, despite filtering out the actual download traffic. The big concern that everyone has is tracking, right? Well, Epic does that in SPADES. Look at all those requests. Look at the delicious "tracking.js". Mmm, I'm sure Xi Jinping is going to love it. Here's a copy of that script; I couldn't make heads or tails of it, but I'm also unfamiliar with JS. It looks less readable than Perl, though.

I didn't see any massive red flags in the traffic. I didn't see any root certs being created. But I also had 279 logged connections to look at by hand, on an old laptop, and simply couldn't view it all; there's an absolute fuckload of noise to go through, and I didn't leave the client running for very long. It already took me hours to sort through the traffic, not to mention several hundred thousand entries in ProcMon.

If you want to replicate this, it's pretty easy. Grab Fiddler and set it up, enable SSL decryption (DON'T FORGET TO REMOVE THE CERTS AFTERWARDS), start up Epic, and watch the packets flow, like a tranquil brook, all the way to Tim Sweeney's gaping datacenters. Use ProcMon if you want an extremely detailed, verbose log of absolutely everything that the client does to your computer; you'll need to play with filters for a while to get it right. And I'm sure there are better ways to view what's going on inside of network traffic - but I am merely a rank amateur.

I give this game storefront a final rating of: PRETTY SKETCHY / 10, with an additional award for association with Tencent. As we all know, they have no links to the Chinese government whatsoever, and even if they did, the Chinese government would NEVER spy on a foreign nation's citizens, any more than they would on their own.

I also welcome attempts from people who do this professionally to take a crack at figuring out what sorts of questionable things the Epic client does. Seriously, I'd love to know what you find.

NB: CreateFile in ProcMon can actually indicate that a file is being opened, not necessarily created.

edit: oh yeah it also does a bunch of weird multicast stuff that'll mess with any TVs on your network. Good job, Epic.

As for poking around for DLLs, especially Fiddler, it might be anti-reverse engineering and anti-cheating stuff. It's shady, but anti-cheat shit is going to look shady as fuck and poke around in memory and enumerate your processes and potentially DLLs like that. Cheat prevention requires some serious shit, sometimes getting into ring-0 and running along OS code like a driver.

It looks like it checked for Fiddler and I figure it might be checking to see if you're capturing the internet traffic and doing anything funny. It obviously doesn't want you reading and modifying the traffic it sends. That is probably anti-hack sort of stuff, but it could also be they don't want people to analyze what it sends at all. It's concerning and also not concerning IMO. It could mean they send back a shit ton of metrics they shouldn't need to record, it could be they're just preventing game hacks and preventing people from reverse engineering how it does that, and how it notifies Epic stuff.

For example, let's say you run WallHack.exe, some common hack for a game. They enumerate the processes and phone home, discover you're a hacker, then ban you... but someone uses Fiddler and sees them doing that, and removes WallHack.exe from what it phones home, and now they don't know. Well, they're going to want to know to trust what you just sent, so they might also check for Fiddler and Burp proxy and stuff, and then just not let your game launch if you're fucking around or something.

Anti-cheating/hacking is a crazy, crazy world where it's technologies and counter-technologies and going lower and lower level until someone wins. They do everything they can. I've heard that sometimes hackers even go pretty much ring -1 by hooking into a hypervisor running a VM running the game... People go to great lengths to hack, and they go to great lengths to prevent hacking.

If they try to do anti-cheat stuff, there's going to be a lot of false positives that look really bad but might be legitimate anti-cheat techniques. But, they could also be recording tons of metrics and selling data. There's nothing stopping them. I don't know. The kind of info they would need to REALLY attack cheating would also look suspicious af, so it's hard to know without being on the inside. I'm honestly not surprised, and it's not too much of a deal breaker for me... the PC I use to game, I don't use for anything else that's personal. You kind of just have to accept that anti-cheat stuff is going to do shady stuff because it has to.

I would agree... but would it be running anti-cheat software before I even installed any games? On top of that, anti-cheat software that's built into the main Epic store EXE, and not its own separate thing? Fortnite, for example, uses EAC.

Why bother making a copy of that file??? (which contains all your friends, every game you own, when you last played, etc.) I suspect they didn't want to access it more than once for fear of getting caught, which they now are. Also, hopefully Steam will properly encrypt this file to keep other nefarious companies from accessing this data.

Further info: The timestamp of the stolen copy of localconfig.vdf (C:\ProgramData\Epic\SocialBackup\*.bak) is 1 minute after the timestamp of C:\Program Files (x86)\Epic Games\, so this information is taken right at launch, possibly even during install.

LOL fuck... I'm really glad someone caught that. I find it much worse they even XOR against 0xff (ignoring it as a bad "encryption" scheme even) because that makes it incredibly obvious they're trying to hide it, which shows they know it's completely unethical. This is pretty damn bad. That's a total privacy breach and incredibly shady business practice. I can't even think of a way to play devil's advocate here. It's just wrong.

With morals like that, who knows what else they do. Maybe some stuff is certainly cheat prevention, but I'd guess that they're also jacking a ton of metadata for personal gain on top of it even if.

They seem to claim this is just some friend import logic:

The launcher makes an encrypted local copy of your localconfig.vdf Steam file. However, information from this file is only sent to Epic if you choose to import your Steam friends, and then only hashed ids of your friends are sent and no other information from the file.

Hmm, has anyone verified this, or if they just grab the entire file and send it home? Depending on how they hash the IDs too, it might not be hard to just brute force them back to plaintext. If their version of an encrypted local version is XORing against FF then I doubt it's good.
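An added example (my own, not code from anyone in this thread or from Epic) for the XOR-0xFF point raised two comments up and questioned just above: a single-byte XOR is obfuscation, not encryption, because one known plaintext byte reveals the whole key and the same operation undoes it. The VDF sample is constructed for the demo, and the assumption that a localconfig.vdf starts with a double-quoted key is mine.

```python
"""Why "XOR against 0xFF" is not encryption: a worked demo on a constructed
Steam localconfig.vdf stand-in. Added example, not from the thread or Epic."""

# Constructed stand-in for a Steam localconfig.vdf (KeyValues text format).
# The SteamID shown is made up for the demo.
SAMPLE_VDF = (
    b'"UserLocalConfigStore"\n{\n'
    b'\t"friends"\n\t{\n'
    b'\t\t"76561190000000001"\n\t\t{\n'
    b'\t\t\t"name"\t\t"example_friend"\n'
    b'\t\t}\n\t}\n}\n'
)


def xor_single_byte(data: bytes, key: int) -> bytes:
    """Single-byte XOR. The same call both obfuscates and de-obfuscates,
    which is the first sign this offers no confidentiality."""
    return bytes(b ^ key for b in data)


def recover_key(blob: bytes, known_first_byte: int = ord('"')) -> int:
    """Assumption: a VDF file begins with a double-quoted key, so the first
    plaintext byte is '"'. One known byte gives the key: ct[0] XOR pt[0]."""
    return blob[0] ^ known_first_byte


def looks_like_xored_vdf(blob: bytes) -> bool:
    """Heuristic for a *.bak that is merely an XORed VDF: recover the key
    from the first byte and check that the result decodes as VDF-style text."""
    if not blob:
        return False
    plain = xor_single_byte(blob, recover_key(blob))
    try:
        text = plain.decode("ascii")
    except UnicodeDecodeError:
        return False
    printable = all(c.isprintable() or c in "\t\n\r" for c in text)
    return printable and text.startswith('"') and "{" in text


if __name__ == "__main__":
    blob = xor_single_byte(SAMPLE_VDF, 0xFF)   # what the thread describes
    key = recover_key(blob)
    print(f"recovered key: 0x{key:02X}")
    print(xor_single_byte(blob, key).decode())
```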

I just went through the whole procedure of linking Steam to Epic via the Epic launcher so it can add friends and guess what, it didn't access that file once. Their entire justification of copying the file in their press response is for the friends functionality. And yet it isn't used during linking to Friends. (I use Procmon a lot, I set a filter for that file and confirmed when I accessed the file through command prompt that the access showed up, so I know it didn't miss the access)

Nice! Sounds like you've done malware analysis then? Procmon is the right tool for the job.

I'd say checking the traffic with Fiddler might be interesting, but as the guy above mentioned it checks for the Fiddler DLL, so maybe it uses anti-analysis techniques like real malware :/ Could be a tough one to analyze in depth. This all sounds shady though, and if it is as bad as it sounds and if they're intentionally trying to make it sound benign when it's not, they're worth being called out.

I'm getting back to work in a bit so I won't be able to do network analysis, but I'm a longtime hacker - nothing specifically with malware analysis. When I get time I'll look some more but hopefully others will do some more poking around too.

One thing I realized from a comment on another forum is that this file will also contain games you have purchased that aren't even released yet. Epic could use that information to target other developers to pull them away from Steam like they did with Coffee Stain's Satisfactory. Satisfactory was originally pre-sale on Steam and was doing well when Epic swooped in and convinced them to make it an Epic exclusive.

Have you tried temporarily rejecting all access to the files EGL accesses? If the launcher boots fine, there's no errors, no missing features and no crashes then we can probably assume that it's akin to data collection and data mining. If it's vital to the way the program runs (like the VP of Engineering has implied about friends list) then it should crash.

At this point I don't know why they made a copy of the file with XOR but yeah, it's super suspicious. Had they simply grabbed the file once during Epic launcher install and sent it away to their servers without leaving evidence, it's doubtful we would even know about this. Luckily criminals usually leave evidence.

I actually uninstalled the program before downloading any games because of how surprisingly taxing it was as a background program. It was taking 3 to 5 percent CPU usage for no reason. I didn't have any games! I figured it was taking something aggressively or was just very bugged on my setup.

But what about international laws that prohibit the “UNAUTHORISED” access to your computer/network. It is impossible to not infringe upon these laws utilising such intrusive techniques, regardless of the intended purpose.